Ticket #24 (closed defect: fixed)

Opened 10 years ago

Last modified 10 years ago

Top 10 Honeypots in Activity Report is inaccurate

Reported by: rmcmillen Owned by: [email protected]
Priority: minor Milestone: roo-1.4
Component: Walleye Version: 1.4b3
Keywords: Cc:

Description

The Top 10 Honeypots listing in the activity report does not only show honeypots. It shows the same information as the Top 10 Remote Hosts. It should only show honeypots. Reported by David Watson.

Change History

Changed 10 years ago by rmcmillen

In previous versions of walleye/hflow, argus was used to track flows and the data was placed in the argus table. The argus table contained a boolean column named local which identified local systems (i.e. honeypots). This variable was used in the Top 10 Honeypots query to find the honeypots.

Now, hflow2 keeps track of its own flows and the flow table does not contain a column to identify "local" systems so the Top 10 Honeypots results in Top 10 src ips.

Changed 10 years ago by rmcmillen

  • status changed from new to closed
  • resolution set to fixed

 https://projects.honeynet.org/hflow/changeset/14 contains the changes that allow hflow to keep track of local traffic. It added column to the flow table named is_local and walleye version > 1.2.7 now utilizes that column to display the proper data in both the Top 10 Honeypots, Top 10 Remote hosts, Bidirectional Flows, and Total Flows stats (see ChangeSet? [54].

Note: See TracTickets for help on using tickets.